2017-12-15 19:36:50 +01:00
|
|
|
|
# Python peruser of systemd-journal
|
|
|
|
|
|
|
|
|
|
This program is intended to be used as a lightweight replacement for both epylog and fail2ban.
|
|
|
|
|
|
|
|
|
|
The wanted features are these:
|
|
|
|
|
|
|
|
|
|
* Peruse all log entries from systemd’s journal, and only those (ie: no log files).
|
|
|
|
|
* Passively wait on new entries; no active polling.
|
|
|
|
|
* Filter-out uninteresting log lines according to the settings.
|
|
|
|
|
* Act on matches in the journal, with some pre-defined actions.
|
|
|
|
|
* Create a daily report with 2 parts:
|
|
|
|
|
- events of interest (according to the settings),
|
|
|
|
|
- and other non-filtered-out log entries.
|
|
|
|
|
* Send an immediate email when something important happens (according to the settings).
|
|
|
|
|
|
|
|
|
|
Interesting [filtering entries](https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html) are:
|
|
|
|
|
* `_TRANSPORT`: how the log entry got to the journal (`stdout`, `syslog`, `journal`)
|
|
|
|
|
* `PRIORITY`: see https://en.wikipedia.org/wiki/Syslog#Severity_level
|
|
|
|
|
* `SYSLOG_FACILITY`: see https://en.wikipedia.org/wiki/Syslog#Facility
|
|
|
|
|
* `_CAP_EFFECTIVE`: effective capabilities as an hexadecimal mask
|
|
|
|
|
* `_BOOT_ID`: boot identifier (may be used to detect reboots)
|
|
|
|
|
* `_MACHINE_ID`: internal systemd ID for the machine where the log entry occurred
|
|
|
|
|
* `_HOSTNAME`: short hostname of the machine where the log entry occurred
|
|
|
|
|
* `_UID`: user ID of the systemd service that produced the log entry
|
|
|
|
|
* `_GID`: group ID of the systemd service that produced the log entry
|
|
|
|
|
* `SYSLOG_IDENTIFIER`: service name as reported to the “syslog” API
|
|
|
|
|
* `_COMM`: name of the command that produced the log entry
|
|
|
|
|
* `_EXE`: path to the executable file launched by systemd
|
|
|
|
|
* `_SYSTEMD_CGROUP`: cgroup of the service, eg. `/system.slice/systemd-uwsgi.slice/uwsgi@nextcloud.service`
|
|
|
|
|
* `_SYSTEMD_UNIT`: name of the systemd unit that produced the log entry
|
|
|
|
|
* `_SYSTEMD_SLICE`: name of the systemd slice
|
|
|
|
|
* `_CMDLINE`: process name as reported by the main process of the systemd service
|
|
|
|
|
* `_PID`: process ID of the systemd unit’s main process
|
|
|
|
|
* `MESSAGE`: the actual message of the log entry
|
|
|
|
|
* `__REALTIME_TIMESTAMP`: Python `datetime` of the log entry, formatted as: `YYYY-MM-DD HH:MM:SS:µµµµµµ`
|
2017-12-17 12:52:44 +01:00
|
|
|
|
|
|
|
|
|
The `/etc/pyruse` directory is where system-specific files are looked-for:
|
|
|
|
|
* the `pyruse.json` file that contains the configuration,
|
|
|
|
|
* the `pyruse/actions` and `pyruse/filters` subfolders, which may contain additional actions and filters.
|
|
|
|
|
|
|
|
|
|
Instead of using `/etc/pyruse`, an alternate directory may be specified with the `PYRUSE_EXTRA` environment variable.
|